[NTLUG:Discuss] Encrypted network traffic on a local network
Leroy Tennison
leroy_tennison at prodigy.net
Fri Jul 6 00:11:37 CDT 2007
Dennis Rice wrote:
> ----------------------
> On 5 July Leroy Tennison said:
> Have been testing ipsec-tools and realized that it is for either
> host-to-host encryption or an encrypted tunnel between two networks.
> Is there a way to have data transmissions between all hosts on a given
> network encrypted? To do this with IPSec it appears that you would have
> to set up host-to-host SAs for every combination of source and
> destination host.
> ----------------------
>
> Leroy,
> Although I have not yet gotten to the stage of playing around with the
> problem as you have, there are a few requirements that need to be
> set up.
>
> First, to use IPSec, a VPN is set up between two agents. The next
> question, who are the agents. Naturally, the agents can be the end
> hosts, but this will require a separate encryption key for every link -
> 5 hosts means 10 different keys to allow everyone to talk to everyone
> else in an encrypted mode. This provides total encryption of the
> message, even on the local network. Difficult to manage but doable on a
> small network.
>
> The next step is to set up a gateway / router to perform the encryption
> between LANs. This is important in that transmitting a file from a user
> host to the VPN gateway will still be in clear-text, but the file
> between VPN gateways will be encrypted. In this situation, the VPN is
> established between the two Gateways, hence only one public key set must
> be managed (much easier). Note that this is the system gateway, all
> user hosts have to be pointed to this system as the default gateway. If
> a VPN link is not available to the remote location, then the gateway
> will just forward the message unencrypted. If this gateway is still
> inside of the network and has another gateway to go through, then it
> will forward accordingly (set up a static route from the VPN gateway to
> the Internet router).
>
> If a user host continues to point to the Internet router, there will be
> no way for the data to be encrypted, the user host default gateway must
> be the VPN gateway.
>
> Unfortunately, I have not yet gotten to the stage of setting up a VPN on
> Linux, but I am looking forward to it. Would always look forward to
> your assistance for documenting and putting into my book.
>
> Dennis
>
> _______________________________________________
> http://www.ntlug.org/mailman/listinfo/discuss
>
>
http://www.ipsec-howto.org/x304.html has a pretty good tutorial on IPSec
using ipsec-tools. My search of the web found very few articles
specifically using ipsec-tools (most were *swan), maybe I searched for
the wrong thing. Anyway, here's what I've discovered so far, I would
have sent an OO document but 1) its state right now is "notes to
myself" and 2) I don't have your direct email address. Anyway, what
I've learned isn't that involved (although the post is long). My setup
is a bit constrained because I "only have three machines" - one of these
days I'll get around to virtual machines but one thing at a time.... My
setup is as follows:
[Nic1 - host1 - Nic2] ---- [ 8-port hub ] ---- [Nic3 - host2 - Nic4]
                                 |
                                 |
                              [host3] (running WireShark)
Nic1 and Nic4 don't even have a network connection, just a static IP
address. Using 'ping -I ...' and forcing vsftpd to listen on only Nic1
served the purpose.
Troubleshooting (from experience ...):
1. Run racoon in foreground mode (-F) with logging (-l)
2. If you get parse errors look to see that the (or all) previous
line(s) is (are) terminated with a semi-colon
3. If you get a "failed to get sainfo" check to make sure both sainfo
addresses are correct: for tunnel mode do both have the CIDR
specification? (netmask bits)
4. If you get "Resource Temporarily unavailable" check the racoon
output. If it doesn't have any error messages then this may indeed
indicate a temporary condition - try the test again in a few seconds.
5. Turn off the firewall on both hosts for testing
6. Always use a packet analyzer to see what is going on
7. Create a setkey file with only flush; and spdflush; so you can turn
off ipsec easily if needed.
8. For tunnel mode, ping without ipsec first to confirm connectivity,
use 'route add' to add remote address
First, create the certificates as follows -
openssl req -config openssl.cnf -new -nodes -out <host 1>.req -keyout <host 1>.key
no OU, email address, challenge password or optional company name
basically accept defaults except for host name
repeat for <host 2>
openssl ca -config openssl.cnf -in <host 1>.req -out <host 1>.crt
repeat for <host 2>
openssl x509 -noout -hash -in <host 1>.crt
Create a symbolic link (ln -s <host 1>.crt ____.0) replacing the
underscores with the output of the above command. The appended ".0" is
a tie breaker in case there are identical hash values?!
repeat for <host 2> AND cacert.pem
Place files (cacert.pem, its hash symbolic link, the local host's
certificate file, its symbolic link and the local host's private key)
in /etc/racoon/certs (this is the CentOS5 location, it can vary).
IP addresses in the following configurations are:
1.2.3.4 Nic1
10.12.14.16 Nic2
10.12.14.22 Nic3
5.6.7.8 Nic4
Here are the annotated configuration files of a working setup (one odd
thing did surface in testing, with IPSec enabled on host1 and host2 I
couldn't ftp from host3 to host1 even though the combination wasn't
included as a part of the IPSec configuration - need to do more research):
Racoon.conf from host1:
path certificate "/etc/racoon/certs";

remote 10.12.14.22 {
    exchange_mode main ;
    certificate_type x509 "certificate.pem" "privatekey.pem" ;
    verify_cert on ;
    my_identifier asn1dn ;
    peers_identifier asn1dn ;
    proposal {
        encryption_algorithm 3des ;
        hash_algorithm sha1 ;
        authentication_method rsasig ;
        dh_group modp1024 ;
    }
}

# "Other network" to "other network" (networks not common to the IPSec hosts)
sainfo address 1.2.3.0/24 any address 5.6.7.0/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

# Local side IPSec host to remote "Far end"
sainfo address 10.12.14.16/24 any address 5.6.7.0/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

# Local "Far end" to remote side IPSec host
sainfo address 1.2.3.0/24 any address 10.12.14.22/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

# Local side IPSec host to remote side IPSec host
sainfo address 10.12.14.16/24 any address 10.12.14.22/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
Notes on racoon.conf -
In tunnel mode the IPSec hosts are not automatically included in the
IPSec protection. Each combination had to be specified. The last
configuration (IPSec host to IPSec host) had to be added in order for a
ping between the hosts to be encrypted.
setkey.conf from host1 - a file created for convenience to use with setkey
flush;
spdflush;

# "Far end" to "Far end" (networks not common to the IPSec hosts)
spdadd 1.2.3.0/24 5.6.7.0/24 any -P out ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;
spdadd 5.6.7.0/24 1.2.3.0/24 any -P in ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;

# Local side IPSec host to remote "Far end"
spdadd 10.12.14.16/24 5.6.7.0/24 any -P out ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;
spdadd 5.6.7.0/24 10.12.14.16/24 any -P in ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;

# Local "Far end" to remote side IPSec host
spdadd 1.2.3.0/24 10.12.14.22/24 any -P out ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;
spdadd 10.12.14.22/24 1.2.3.0/24 any -P in ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;

# Local side IPSec host to remote side IPSec host
spdadd 10.12.14.16/24 10.12.14.22/24 any -P out ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;
spdadd 10.12.14.22/24 10.12.14.16/24 any -P in ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;
Racoon.conf from host2:
path certificate "/etc/racoon/certs";

remote 10.12.14.16 {
    exchange_mode main ;
    certificate_type x509 "IBM13GB.crt" "IBM13GB.key" ;
    verify_cert on ;
    my_identifier asn1dn ;
    peers_identifier asn1dn ;
    proposal {
        encryption_algorithm 3des ;
        hash_algorithm sha1 ;
        authentication_method rsasig ;
        dh_group modp1024 ;
    }
}

# "Far end" to "Far end" (networks not common to the two IPSec hosts)
sainfo address 5.6.7.0/24 any address 1.2.3.0/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

# Local side IPSec host to remote "Far end"
sainfo address 10.12.14.22/24 any address 1.2.3.0/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

# Local "Far end" to remote side IPSec host
sainfo address 5.6.7.0/24 any address 10.12.14.16/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

# Local side IPSec host to remote side IPSec host
sainfo address 10.12.14.22/24 any address 10.12.14.16/24 any {
    pfs_group modp1024 ;
    lifetime time 1 hour ;
    encryption_algorithm 3des, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
setkey.conf from host2 - a file created for convenience to use with setkey
flush;
spdflush;

# "Far end" to "Far end" (networks not common to the two IPSec hosts)
spdadd 5.6.7.0/24 1.2.3.0/24 any -P out ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;
spdadd 1.2.3.0/24 5.6.7.0/24 any -P in ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;

# Local side IPSec host to remote "Far end"
spdadd 10.12.14.22/24 1.2.3.0/24 any -P out ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;
spdadd 1.2.3.0/24 10.12.14.22/24 any -P in ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;

# Local "Far end" to remote side IPSec host
spdadd 5.6.7.0/24 10.12.14.16/24 any -P out ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;
spdadd 10.12.14.16/24 5.6.7.0/24 any -P in ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;

# Local side IPSec host to remote side IPSec host
spdadd 10.12.14.22/24 10.12.14.16/24 any -P out ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;
spdadd 10.12.14.16/24 10.12.14.22/24 any -P in ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;
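An added example, not part of Leroy's post: a small Python script that parses the spdadd statements of a setkey file and the sainfo blocks of a racoon.conf and reports the mismatches behind troubleshooting item 3 above ("failed to get sainfo"), plus two checks a practitioner wants before touching the peer: every out policy has its mirrored in policy on the same host, and every tunnel-mode out policy on one host has the identical in policy on the other. It also flags selectors written as host/24 (such as 10.12.14.16/24), which the kernel matches as the whole 10.12.14.0/24, so other hosts on that network fall under the policy too; that is a likely reason for the host3 to host1 ftp failure mentioned above. The two host configurations embedded in it are constructed from the addresses in this post, with one sainfo and one policy deliberately left out so the checks have something to report.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    src: str                  # selectors exactly as written in spdadd
    dst: str
    direction: str            # "in" or "out"
    mode: str                 # "tunnel" or "transport"
    tun_src: Optional[str]    # tunnel endpoints, None in transport mode
    tun_dst: Optional[str]


SPD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"(?:esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<tsrc>[^-/\s]+)-(?P<tdst>[^/\s]+))?/(?:require|use|default)"
)
SAINFO_RE = re.compile(
    r"sainfo\s+(?:(?P<anon>anonymous)|address\s+(?P<local>\S+)\s+\S+"
    r"\s+address\s+(?P<remote>\S+)\s+\S+)\s*\{"
)


def strip_comments(text: str) -> str:
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_spd(text: str) -> List[Policy]:
    """One Policy per spdadd statement; a statement may span several lines."""
    policies = []
    for stmt in strip_comments(text).split(";"):
        m = SPD_RE.search(" ".join(stmt.split()))
        if m:
            policies.append(Policy(m["src"], m["dst"], m["dir"], m["mode"], m["tsrc"], m["tdst"]))
    return policies


def parse_sainfo(text: str) -> List[Optional[Tuple[str, str]]]:
    """(local, remote) per sainfo block; None stands for 'sainfo anonymous'."""
    return [None if m["anon"] else (m["local"], m["remote"])
            for m in SAINFO_RE.finditer(strip_comments(text))]


def host_bits_set(selector: str) -> bool:
    """True for 10.12.14.16/24: the kernel masks it to 10.12.14.0/24, so the
    policy covers the whole network rather than the single host."""
    if "/" not in selector:
        return False
    try:
        ipaddress.ip_network(selector, strict=True)
        return False
    except ValueError:
        return True


def check_host(name: str, policies: List[Policy], sainfos) -> List[str]:
    findings = []
    for sel in sorted({s for p in policies for s in (p.src, p.dst)}):
        if host_bits_set(sel):
            net = ipaddress.ip_network(sel, strict=False)
            findings.append(f"{name}: selector {sel} has host bits set; kernel matches {net}")
    for p in policies:
        if p.direction != "out":
            continue
        mirror = Policy(p.dst, p.src, "in", p.mode, p.tun_dst, p.tun_src)
        if mirror not in policies:
            findings.append(f"{name}: out policy {p.src} -> {p.dst} has no mirrored in policy")
        # racoon selects the sainfo whose addresses equal the selectors (unless anonymous)
        if None not in sainfos and (p.src, p.dst) not in sainfos:
            findings.append(f"{name}: no sainfo for {p.src} -> {p.dst}; "
                            "racoon will log 'failed to get sainfo'")
    return findings


def check_peer(name_a, pol_a, name_b, pol_b) -> List[str]:
    """Every tunnel-mode 'out' policy on A needs the identical 'in' policy on B."""
    findings = []
    for p in pol_a:
        if p.direction == "out" and p.mode == "tunnel":
            expected = Policy(p.src, p.dst, "in", p.mode, p.tun_src, p.tun_dst)
            if expected not in pol_b:
                findings.append(f"{name_b}: missing in policy for {name_a}'s "
                                f"{p.src} -> {p.dst} via {p.tun_src}-{p.tun_dst}")
    return findings


# Constructed sample in the post's layout: host1 (10.12.14.16) fronts 1.2.3.0/24,
# host2 (10.12.14.22) fronts 5.6.7.0/24.  host1's racoon.conf deliberately lacks
# the host-to-host sainfo and host2's setkey file lacks that policy pair.
HOST1_SETKEY = """
flush;
spdflush;
spdadd 1.2.3.0/24 5.6.7.0/24 any -P out ipsec esp/tunnel/10.12.14.16-10.12.14.22/require;
spdadd 5.6.7.0/24 1.2.3.0/24 any -P in ipsec esp/tunnel/10.12.14.22-10.12.14.16/require;
# IPsec host to IPsec host, written with /24 as in the post
spdadd 10.12.14.16/24 10.12.14.22/24 any -P out ipsec
    esp/tunnel/10.12.14.16-10.12.14.22/require;
spdadd 10.12.14.22/24 10.12.14.16/24 any -P in ipsec
    esp/tunnel/10.12.14.22-10.12.14.16/require;
"""
HOST1_RACOON = """
sainfo address 1.2.3.0/24 any address 5.6.7.0/24 any {
    pfs_group modp1024;
    encryption_algorithm 3des, rijndael;
    authentication_algorithm hmac_sha1;
}
"""
HOST2_SETKEY = """
flush;
spdflush;
spdadd 5.6.7.0/24 1.2.3.0/24 any -P out ipsec esp/tunnel/10.12.14.22-10.12.14.16/require;
spdadd 1.2.3.0/24 5.6.7.0/24 any -P in ipsec esp/tunnel/10.12.14.16-10.12.14.22/require;
"""
HOST2_RACOON = "sainfo anonymous { encryption_algorithm 3des; authentication_algorithm hmac_sha1; }\n"


def audit(h1_setkey, h1_racoon, h2_setkey, h2_racoon) -> List[str]:
    p1, p2 = parse_spd(h1_setkey), parse_spd(h2_setkey)
    findings = check_host("host1", p1, parse_sainfo(h1_racoon))
    findings += check_host("host2", p2, parse_sainfo(h2_racoon))
    findings += check_peer("host1", p1, "host2", p2)
    findings += check_peer("host2", p2, "host1", p1)
    return findings


if __name__ == "__main__":
    for line in audit(HOST1_SETKEY, HOST1_RACOON, HOST2_SETKEY, HOST2_RACOON):
        print(line)
```

Run it against the real files (read them with open() in place of the embedded strings) on both hosts before starting racoon; on the sample it prints two host-bits warnings, the missing sainfo on host1 and the missing in policy on host2.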
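The question the thread started with, encrypting traffic between every host on one LAN, as an added example that is not from either post: instead of one tunnel-mode configuration per host pair, each host gets transport-mode policies to every other host and a single "anonymous" remote/sainfo pair in racoon.conf, so any two hosts negotiate their own SA on demand while still authenticating each other by CA-signed certificate. The host list, file names and the aes/modp2048 proposal are assumptions (the post used 3des/modp1024); note that "require" drops packets until the SA exists, so racoon must be running on every host before these policies are loaded.

```python
from itertools import combinations
from typing import Dict, List


def setkey_conf(me: str, hosts: List[str]) -> str:
    """Transport-mode policies from 'me' to every other host, both directions.
    'require' means packets are dropped until the SA exists, so racoon must
    be running on every host before this file is loaded with setkey -f."""
    lines = ["flush;", "spdflush;"]
    for peer in hosts:
        if peer == me:
            continue
        lines.append(f"spdadd {me} {peer} any -P out ipsec esp/transport//require;")
        lines.append(f"spdadd {peer} {me} any -P in ipsec esp/transport//require;")
    return "\n".join(lines) + "\n"


def racoon_conf(cert: str, key: str) -> str:
    """One 'anonymous' remote and sainfo block covers every peer, so the file
    does not grow with the number of hosts.  Peers are still authenticated by
    certificate (rsasig + verify_cert), so only holders of a cert signed by the
    CA in /etc/racoon/certs can join.  Algorithm choices are assumptions."""
    return f"""path certificate "/etc/racoon/certs";
remote anonymous {{
    exchange_mode main;
    certificate_type x509 "{cert}" "{key}";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {{
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group modp2048;
    }}
}}
sainfo anonymous {{
    pfs_group modp2048;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
}}
"""


def build_mesh(hosts: List[str], cert: str = "host.crt", key: str = "host.key") -> Dict[str, Dict[str, str]]:
    """Per-host {setkey.conf, racoon.conf} for a full mesh of the given hosts."""
    return {h: {"setkey.conf": setkey_conf(h, hosts), "racoon.conf": racoon_conf(cert, key)}
            for h in hosts}


def sa_pairs(hosts: List[str]) -> int:
    """Distinct host pairs, i.e. the number of IKE peerings a full mesh needs."""
    return sum(1 for _ in combinations(hosts, 2))


if __name__ == "__main__":
    lan = ["10.12.14.16", "10.12.14.22", "10.12.14.30"]  # constructed host list
    for host, files in build_mesh(lan).items():
        print(f"=== {host}: setkey.conf ===")
        print(files["setkey.conf"])
    print(f"{len(lan)} hosts -> {sa_pairs(lan)} IKE peerings")
```

With five hosts this gives eight spdadd lines per host and ten distinct peerings, the same count Dennis arrived at by hand; the difference is that racoon creates the ten SAs lazily from one configuration instead of ten hand-maintained tunnel definitions.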